Companies operating in industries regulated by the U.S. Food and Drug Administration (FDA) that choose to maintain electronic records or use electronic signatures must comply with CFR 21 Part 11.
Companies in the life sciences industry such as pharmaceutical companies, biotechnology companies, medical device manufacturers, and clinical research organizations handle vast amounts of sensitive Protected Health Information (PHI). Organizations have two types of processes, well defined and ad-hoc project based. Well defined and documented processes usually have assessed the data that is processed and have safeguards in place to protect the confidentiality and integrity of all processed PHI. There are however a lot of projects and ad-hoc activities that require the management of various sensitive documents and complications of PHI.
Pharmaceutical companies need to share sensitive documents such as research data, clinical trial results, regulatory filings, and intellectual property documents with regulatory authorities, research partners, contract manufacturers, and legal teams. Biotech companies share genomic data, proprietary formulations, and licensing agreements with academic institutions, research collaborators and investors. These activities require the sharing of unstructured data such as documents.
Life science companies need a generic file and folder sharing solution that by default complies with CFR Part 11, without any specific setup and ongoing maintenance.
End-to-end encryption as a technological gateway enabling the cloud
Simply using a cloud storage solution for sharing documents immediately results in non-compliance of 21CFR11.10(d): and 21CFR11.30, because all documents are implicitly shared with the cloud provider over which the company has no control. Using an on-premise solution on the other hand has huge drawbacks, because it does not meet the needs of a modern organization and carries unacceptable security risks. On-premises solutions need to be continually patched, and storage space needs to be maintained with dedicated IT staff. Companies are not capable of guaranteeing 99.9+% of uptime and immediate patching of vulnerabilities. Fortunately cloud storage providers such as Tresorit bring all the advantages of the cloud that a modern organization needs and can guarantee using a technology called End-to-End encryption that the provider (in this case Tresorit) has no access to any of the stored files. With this technology every file is encrypted on the device of the user and importantly all encryption keys are also managed on the users’ devices. What is even more important that from the user’s perspective the solution is like any other cloud storage provider and the user does not have to worry about managing encryption keys. As described in 21CFR11.30 additional measures such as document encryption can guarantee the authenticity, integrity and confidentiality of the documents.
Electronic signature of documents
During many workflows such as approvals, contracts or checklists an employee needs to sign a document. These documents may also contain a lot of sensitive information such as PHI. Tresorit eSign allows organizations to cryptographically sign PDF documents that is in line with 21CFR11.50. A document can be signed by one or more users and every signature has the (1) the printed name of the signer; (2) The date and time when the signature was executed; and it is possible for users to add (3) The meaning (such as review, approval, responsibility, or authorship) associated with the signature. Every signature can be validated using a PDF reader such as Adobe Acrobat reader. Once a signature has been added to a document the document cannot be further modified without invalidating the signatures.
Checklist of 21CFR11.10 defined controls
CFR 21 Part 11 requires multiple controls to be in place for the management of electronic records, this table can help your organization to evaluate Tresorit an end-to-end encrypted file sharing and electronic signature platform.
|(a) Validation of systems to ensure accuracy, reliability, consistent intended performance, and the ability to discern invalid or altered records.||Tresorit provides availability of 99.9+% to guarantee the availability of all data. When downloading a file from the cloud during the decryption process every file is validated cryptographically, guaranteeing that no file was altered in the cloud.|
|(b) The ability to generate accurate and complete copies of records in both human readable and electronic form suitable for inspection, review, and copying by the agency. Persons should contact the agency if there are any questions regarding the ability of the agency to perform such review and copying of the electronic records.||Tresorit manages files and folders that are the easiest to interact with objects in an IT environment. Sharing files and folders with the FDA can be done in multiple ways. If there is a secure channel to share the folder, then that can be used. Tresorit provides a secure channel using encrypted links together with email authentication and password protection to share files or even whole folders with a third party.|
|(c) Protection of records to enable their accurate and ready retrieval throughout the records retention period.||All encrypted content is stored redundantly and replicated three times inside the selected primary region of the customer. This provides at least 99.999999999% (11 nines) durability of files for a given year. See https://support.tresorit.com/hc/en-us/articles/4407206932114-Incident-management-business-continuity-disaster-recovery for more information.|
|(d) Limiting system access to authorized individuals.||Inviting members to folders is easy and secure. Different permissions can be applied, such as Manager, Writer, and Reader. When sharing a folder cryptographic assess is given to the user. Only the users the folder has been share with can decrypt the contents of the folder.|
|(e) Use of secure, computer-generated, time-stamped audit trails to independently record the date and time of operator entries and actions that create, modify, or delete electronic records. Record changes shall not obscure previously recorded information. Such audit trail documentation shall be retained for a period at least as long as that required for the subject electronic records and shall be available for agency review and copying.||The deletion of files can be performed by end-users, but this deletion can be disabled by policies, so administrators can have control over the deletion documents. Every folder has an activity wall where every file creation, modification, deletion is logged with a timestamp and identity of the user performing the action. Activity can even be exported into a CSV file.|
|(f) Use of operational system checks to enforce permitted sequencing of steps and events, as appropriate.||Tresorit ensures that every modification of every file is recorded even in case of simultaneous modifications by different users conflict files are created. Tresorit also ensures that signed document cannot be modified, any modified documents signature would immediately become invalid.|
|(g) Use of authority checks to ensure that only authorized individuals can use the system, electronically sign a record, access the operation or computer system input or output device, alter a record, or perform the operation at hand.||Tresorit enforces strong authentication that ensures only the authorized individual has access to the system. This is supplemented with end-to-end encryption that guarantees that a user can only decrypt their profile with the knowledge of their password. When signing documents Tresorit validates that the user performing the action has control over the email address to which the signature is linked. The cryptographic signature also ensures that the signed document cannot be altered. Tresorit can also be integrated with SSO solutions.|
|(h) Use of device (e.g., terminal) checks to determine, as appropriate, the validity of the source of data input or operational instruction.||Tresorit is used to collaborate on unstructured data, where this control is not relevant. Of course, all meta-data such as email addresses are checked by Tresorit software and any data that is displayed on screen is always escaped for security reasons to avoid XSS and similar attacks.|
|(i) Determination that persons who develop, maintain, or use electronic record/electronic signature systems have the education, training, and experience to perform their assigned tasks.||Tresorit boasts a highly skilled development team, which includes talented cryptographers, working diligently to maintain a world-class Software as a Service (SaaS) product. The team possesses deep expertise in encryption and security, ensuring the robustness and reliability of the platform. With our collective knowledge and experience, Tresorit strives to deliver a secure and dependable file storage and sharing solution to our users.|
|(j) The establishment of, and adherence to, written policies that hold individuals accountable and responsible for actions initiated under their electronic signatures, in order to deter record and signature falsification.||In order to establish a clear policy regarding the use of electronic signatures, your organization requires all employees who will utilize electronic signatures to acknowledge their understanding that an electronic signature holds the same legal validity as a hand-written signature. This acknowledgement will be in the form of a statement, signed by each employee, affirming their comprehension of the legal equivalent of electronic signatures. It is also worth highlighting that employees are not to share any login credentials with anyone.|
|(k) Use of appropriate controls over systems documentation including: (1) Adequate controls over the distribution of, access to, and use of documentation for system operation and maintenance. (2) Revision and change control procedures to maintain an audit trail that documents time-sequenced development and modification of systems documentation.||Your organization needs to document in internal polices, on how to collaborate on sensitive data and how to share sensitive data outside of the organization. Tresorit is a great tool that can be leveraged for these operations and can be included as an approved easy to use solution for file management. As with every policy document it should have its own versioning.|
The easy to deploy and maintain solution for files
By leveraging Tresorit's easy-to-use platform with its emphasis on end-to-end encryption, secure collaboration, access controls, audit trails, and secure infrastructure, organizations can achieve compliance with CFR 21 Part 11 for electronic signatures and file management.